I have a Response in XML format from my IdP and want to use OpenSAML2 to validate it. How can it be done?

Gobliins

1 Answer

According to the OpenSAML2 official docs (doc1 & doc2), you can try to use the code below to validate the SAML XML response with OpenSAML.

import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.xml.transform.dom.DOMSource;
import javax.xml.validation.Schema;
import javax.xml.validation.Validator;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.xml.SAMLSchemaBuilder;
import org.opensaml.xml.parse.BasicParserPool;
import org.w3c.dom.Document;

// Initialize the library
DefaultBootstrap.bootstrap();

// Get parser pool manager
BasicParserPool ppMgr = new BasicParserPool();
ppMgr.setNamespaceAware(true);

// Get org.w3c.dom.Document Object from response
HttpURLConnection req = (HttpURLConnection) new URL("<saml-xml-url>").openConnection();
// Add some necessary headers for the request
// req.addRequestProperty("...", "...");
// ...
InputStream in = req.getInputStream();
Document inCommonMDDoc = ppMgr.parse(in);

// Get the DOMSource from the org.w3c.dom.Document parsed above
DOMSource domSource = new DOMSource(inCommonMDDoc);

// Add an extension schema via SAMLSchemaBuilder.addExtensionSchema(String schema) if necessary
Schema schema = SAMLSchemaBuilder.getSAML11Schema();

// Get a Validator instance (javax.xml.validation: checks the XML structure against the schema,
// not the XML signature)
Validator validator = schema.newValidator();
try {
    validator.validate(domSource);
    System.out.println("Result : Valid!");
} catch (Exception e) {
    System.out.println("Result : Invalid!");
}
Peter Pan
  • Tried it; strangely I get a `cvc-elt.1: Cannot find the declaration of element samlp:Response` but the first element of the XML is actually ` – Gobliins Nov 02 '16 at 12:15
  • One more thing though, how can I change the SAML11 schema to a SAML2 schema? – Gobliins Nov 02 '16 at 12:16
  • @Gobliins, according to the javadoc of class [SAMLSchemaBuilder#getSAML11Schema](http://www.atetric.com/atetric/javadoc/org.opensaml/opensaml/2.6.1/org/opensaml/common/xml/SAMLSchemaBuilder.html#getSAML11Schema--), the `SAML11` schema supports validating SAML2. – Peter Pan Nov 03 '16 at 08:40
  • Hello, if I understand correctly, we did a schema validation, but what I really was trying to check was the integrity of the Response, whether it was really from my IdP. I have created a new question; maybe you can have a look at https://stackoverflow.com/questions/40397722/opensaml-how-to-check-if-saml-response-signature-cert-is-really-from-my-idp – Gobliins Nov 03 '16 at 09:20
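The last comment draws the distinction that matters for security: schema validation only proves the XML is well-formed SAML, not that it was issued by the IdP. The integrity check is the XML signature on the Response (and/or its Assertions), verified against a certificate you already trust. The following is an added example, not code from the answer above or from the OpenSAML project, showing how that check is done with the OpenSAML 2.x API. It assumes OpenSAML 2.6 (the version whose javadoc is linked in the comments), that the Response XML and the IdP's signing certificate are local files given on the command line, and the class name SamlResponseSignatureCheck, which is invented here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Hypothetical class name; not part of OpenSAML.
public class SamlResponseSignatureCheck {

    // Load the IdP signing certificate from a trusted local copy (for example taken from the
    // IdP metadata at configuration time). The key is pinned here on purpose: a certificate
    // carried inside the Response's own <ds:KeyInfo> proves nothing about who sent it.
    static BasicX509Credential loadIdpCredential(String certPath) throws Exception {
        try (InputStream in = new FileInputStream(certPath)) {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            BasicX509Credential cred = new BasicX509Credential();
            cred.setEntityCertificate(cert);
            return cred;
        }
    }

    // Parse the XML namespace-aware and unmarshal it into the OpenSAML object model.
    static Response parseResponse(InputStream xml) throws Exception {
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        Document doc = pool.parse(xml);
        Element root = doc.getDocumentElement();
        Unmarshaller um = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        XMLObject obj = um.unmarshall(root);
        if (!(obj instanceof Response)) {
            throw new ValidationException("Root element is not a samlp:Response");
        }
        return (Response) obj;
    }

    // Two checks, in this order: the profile validator rejects signatures that do not follow the
    // SAML signing profile (e.g. a reference that does not point at the signature's own parent
    // element), then the cryptographic check runs against the pinned IdP key.
    static void verifySignature(Signature sig, BasicX509Credential idpCred, String what)
            throws ValidationException {
        if (sig == null) {
            throw new ValidationException(what + " is not signed");
        }
        new SAMLSignatureProfileValidator().validate(sig);
        new SignatureValidator(idpCred).validate(sig);
    }

    // Policy assumed here: the Response must be signed; any Assertion that carries its own
    // signature is verified as well. Encrypted assertions are not handled in this example.
    static void verifyResponse(Response response, BasicX509Credential idpCred)
            throws ValidationException {
        verifySignature(response.getSignature(), idpCred, "Response " + response.getID());
        for (Assertion a : response.getAssertions()) {
            if (a.getSignature() != null) {
                verifySignature(a.getSignature(), idpCred, "Assertion " + a.getID());
            }
        }
    }

    // Usage: java SamlResponseSignatureCheck response.xml idp-signing-cert.pem
    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        BasicX509Credential idpCred = loadIdpCredential(args[1]);
        Response response;
        try (InputStream in = new FileInputStream(args[0])) {
            response = parseResponse(in);
        }
        try {
            verifyResponse(response, idpCred);
            System.out.println("Result : signature verified against the pinned IdP certificate");
        } catch (ValidationException e) {
            System.out.println("Result : REJECTED (" + e.getMessage() + ")");
        }
    }
}
```

A passing signature check still only answers "was this issued by the IdP whose key I pinned". Before accepting the login, a service provider also has to check the Issuer, the audience and destination, the NotBefore/NotOnOrAfter conditions and the InResponseTo value; those are separate checks on the parsed Response object and are not shown here.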